Yet another vulnerable plugin was recently discovered by the Wordfence (Defiance) team. Two security flaws were unveiled in Quiz and Survey Master (QSM) WordPress plugin installed on more than 30,000 sites.
Quiz and Survey Master is easy to use add on for websites. It lets people create various quizzes and surveys for WordPress sites. This website widget is also suitable for the creation of other interactive forms such as polls and questionnaires. One of the features of this website tool allows site owners to implement file uploads as a response type for their quiz or survey. This feature could be useful in a number of scenarios but hackers could benefit from it as well.
Unfortunately, this feature of the Quiz and Survey Master WordPress plugin was identified to contain two security flaws. The flaws, rated as highly critical, could lead to remote code execution attacks where attackers upload arbitrary files or delete files from the targeted site, such as wp-config.php. These actions could lead to taking affected sites offline or taking control over them.
Quiz and Survey Master Plugin Flaws Fixed
Fortunately, after the disclosure of the vulnerabilities, they were fixed:
We initially reached out to the plugin’s team on July 17, 2020 through their support forum and followed up again on July 21, 2020. After another week of no response, we reached out to ExpressTech, the plugin’s parent company, on July 28, 2020 … They responded on August 1, 2020 confirming the correct disclosure inbox, and we sent the full disclosure details over on Monday, August 3, 2020. A patch was released just a few days later on August 5, 2020, the report says.
The two vulnerabilities are found in a plugin’s feature that enables site owners to implement file uploads as a response form of a quiz or a survey. Let’s say that a website has a job-application questionnaire. The feature is an ideal solution for the upload of a PDF resume or a file in another format at the end of the process.
As found by researchers, this feature was insecurely implemented as it was set to verify file type only by checking the ‘Content-Type’ field during an upload. This check appeared to be insufficient for a secure way of implementing this feature. Which means that it could be spoofed easily. For instance, if a quiz with a file upload step is configured to accept .txt files only, hackers can upload an executable PHP file as a text file which will enable them to bypass the plugin’s checks and successfully deliver malicious code to website owners.
Fortunately, the functionality has to be enabled and configured for a quiz in order to be easily exploitable. Therefore, most of the sites that have it installed on the panel are unlikely to be exploited by this particular flaw.
The second flaw is also flagged as critical. It can give attackers the chance to delete any arbitrary file from the site. This vulnerability can be exploited by hackers who can establish high-level permission access. Both these flaws can allow an attacker to take over the control of the entire website and the hosting.
The flaws are described as Arbitrary File Upload. There is still no CVE designated, but the CVSS score is 10.00, which means critical. Thus, users of the Quiz and Survey Master WordPress plugin should update to version 7.0.1 immediately so that their sites’ can be protected against any attacks attempting to exploit these flaws.
For the sake of website security, it is highly recommended that WordPress site admins provide only credible users with access levels greater than subscriber-level. Furthermore, don’t forget to set up strong passwords on these accounts so that attackers can’t use them as a means of intrusion.
Earlier this month, Wordfence researchers discovered several flaws in the Newsletter plugin for WordPress. One of the flaws was recently patched, and the other two, which were more severe. The latter flaws were a reflected cross-site scripting (XSS) bug and a PHP Object Injection issue. Fortunately, after contacting the plugin’s authors, the vulnerabilities were quickly addressed in a new press release.